lambda 函数 IAM 角色是否需要 IAM 权限才能调用自身?
[英]Does a lambda function IAM role require an IAM permission to invoke itself?
问题描述
Question
题
Does the IAM role of a lambda function require an IAM permission to invoke itself? lambda 函数的 IAM 角色是否需要 IAM 权限才能调用自身?
Background背景
Reading Tutorial: Process New Items with DynamoDB Streams and Lambda .阅读教程:使用 DynamoDB Streams 和 Lambda 处理新项目。
It looks the IAM role of the lambda function to process DynamoDB stream records has the IAM permission to invoke the function itself (and plus).看起来处理 DynamoDB 流记录的 lambda 函数的 IAM 角色具有调用函数本身(以及附加)的 IAM 权限。
"Action": "lambda:InvokeFunction",
"Resource": "arn:aws:lambda:region:accountID:function:publishNewBark*"
WooferLambdaRolePolicy低音炮LambdaRolePolicy
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "lambda:InvokeFunction",
"Resource": "arn:aws:lambda:region:accountID:function:publishNewBark*"
},
{
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "arn:aws:logs:region:accountID:*"
},
{
"Effect": "Allow",
"Action": [
"dynamodb:DescribeStream",
"dynamodb:GetRecords",
"dynamodb:GetShardIterator",
"dynamodb:ListStreams"
],
"Resource": "arn:aws:dynamodb:region:accountID:table/BarkTable/stream/*"
},
{
"Effect": "Allow",
"Action": [
"sns:Publish"
],
"Resource": [
"*"
]
}
]
}
aws iam put-role-policy --role-name WooferLambdaRole \
--policy-name WooferLambdaRolePolicy \
--policy-document file://role-policy.json
aws lambda create-function \
--region us-east-1 \
--function-name publishNewBark \
--zip-file fileb://publishNewBark.zip \
--role roleARN \ <--- Replace roleARN with the ARN for WooferLambdaRole.
--handler publishNewBark.handler \
--timeout 5 \
--runtime nodejs10.x
Is there a reason why the IAM permission to invoke the lambda function itself needs to be attached to the IAM role of the lambda?调用 lambda 函数本身的 IAM 权限需要附加到 lambda 的 IAM 角色是否有原因? Or is there a specific reason related with DynamoDB stream processing?或者是否有与 DynamoDB 流处理相关的特定原因?
1 个解决方案
解决方案1
3 已采纳 2020-03-31 03:53:17
What you are describing is an example of AWS Lambda Event Source Mapping and its only for Kinesis, DynamDB and SQS.您所描述的是AWS Lambda 事件源映射示例,并且仅适用于 Kinesis、DynamDB 和 SQS。
However, you are not giving permissions to your function to invoke itself.但是,您没有授予函数调用自身的权限。 Instead you are giving the AWS Lambda Service (not your function) permissions to invoke your function.相反,您授予 AWS Lambda 服务(不是您的函数)调用您的函数的权限。 The reasons is the Lambda Service will be processing the DynamoDB stream on your behalf in a background and it will be invoking your function with stream's records when available.原因是 Lambda 服务将在后台代表您处理 DynamoDB 流,并且将在可用时使用流的记录调用您的函数。
Note that the trust policy for WooferLambdaRole role is for lambda.amazonaws.com :请注意, WooferLambdaRole角色的信任策略适用于lambda.amazonaws.com :
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
The trust policy means that the lambda service (again not your function, but the aws lambda service itself) will be able to assume the role containing WooferLambdaRolePolicy .信任策略意味着 lambda 服务(同样不是您的函数,而是 aws lambda 服务本身)将能够承担包含WooferLambdaRolePolicy的角色。 Subsequently the lambda service will be able to work with DynamoDB and invoke your function.随后,lambda 服务将能够使用 DynamoDB 并调用您的函数。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.